Use of/alignment with Anaconda #91
Comments
|
Yes. However, one important architectural point here is that currently lmc/lorax create loopback devices and require SELinux permissive or disabled. If we were to integrate them here, I would prefer we inject them into transient "utility" VMs and extract the output from that. This way we don't affect the host system - we won't leak loopback devices on failure, we don't require the host to turn off SELinux. And more generally, we can "scale out" builds using e.g. Kubernetes as long as we have virt capabilities. |
|
Looking quickly a bit more at LMC, I had forgotten it supports two modes, including one that does the heavy lifting in qemu. |
Yes that's the impression I got as well. In addition, it creates the squashfs and PXE scripts. It seems to be a nicely rounded tool. Doesn't it also see use in Pungi? As long as it still sees use in upstream fedora could it be useful here? Reading through creator.py it includes some validation that might be useful: Disk Image: https://github.com/weldr/lorax/blob/master/src/pylorax/creator.py#L642 -> https://github.com/weldr/lorax/blob/master/src/pylorax/creator.py#L459 (Where @cgwalters was indicating the dual modes https://github.com/weldr/lorax/blob/master/src/pylorax/creator.py#L478) into virt_install https://github.com/weldr/lorax/blob/master/src/pylorax/creator.py#L484 -> https://github.com/weldr/lorax/blob/master/src/pylorax/installer.py#L486 into mkfsimage_from_disk https://github.com/weldr/lorax/blob/master/src/pylorax/installer.py#L550 -> https://github.com/weldr/lorax/blob/master/src/pylorax/imgutils.py#L508 (function completes and branches back up to creator.py) https://github.com/weldr/lorax/blob/master/src/pylorax/creator.py#L698 into make_live_images https://github.com/weldr/lorax/blob/master/src/pylorax/creator.py#L704 -> https://github.com/weldr/lorax/blob/master/src/pylorax/creator.py#L496 (includes some disk logic between L518-L547) build initramfs rebuild_initrds_for_live https://github.com/weldr/lorax/blob/master/src/pylorax/creator.py#L566 -> https://github.com/weldr/lorax/blob/master/src/pylorax/creator.py#L210 (looks like the dracut build doesn't take params from the rpm-ostree definition, this makes sense given that lorax is ostree specific. I wonder how Pungi handles rpm-ostree to ostree to LMC dracut arguments? L219-L227 Dracut is run on L272. Looking at how dracut is built.) TLDR; Should atomic-assembler consider using LMC to build artifacts rather than something else to maintain? Since LMC is used in upstream Fedora/Atomic releases, it might be worthwhile to investigate as artifact creation. As far as I can tell, it uses the same VM process atomic-assembler does. If we continue using an in-house build system, there's a well documented python api which can generate a fsimage https://github.com/weldr/lorax/blob/master/src/pylorax/imgutils.py#L508, initramfs https://github.com/weldr/lorax/blob/master/src/pylorax/creator.py#L210, and PXE scripts https://github.com/weldr/lorax/blob/master/src/pylorax/creator.py#L572-L575 https://github.com/weldr/lorax/blob/master/src/pylorax/creator.py#L280 |
We aren't using it today, but we might use it in the future - or we may at least share code. Since this container is enormous anyways, there's no real downside to adding the dep now. For more information, see discussion in: coreos#91
|
OK, first: I just put up #113 Now, long story time. I spent quite a while thinking about When Atomic/rpm-ostree was first created, I very intentionally (Further, ostree being agnostic about underlying block storage And to me, rpm-ostree excels at the "pet system" case - that So I don't think we're going to delete the rpmostreepayload code However...the usage of Ignition for Fedora CoreOS Using Ignition has a lot of consequences - it means that For example, see systemd/systemd#8268 (comment) Now potentially, we could teach anaconda about this - it And more importantly, I am convinced now for many reasons Hence, I think the balance weighs towards not using Anaconda And now here's the thing - all of the current image-building Another major technical point here is that for ostree-based And consequently, the usage of Anaconda is much much smaller. As soon as you ship an OSTree-based system it has huge The code today in coreos-assembler ties the ostree and All this to say: I think we should share code with |
|
The current situation of using Anaconda both for per-system installs and as a "golden image" building tool creates a lot of tension and problems. For example, when generating a Fedora Cloud or Atomic Host image, we don't want the system go out and do geolocation to try to find the current timezone. We don't want it to persist Today, we often work around these sorts of things in kickstarts. But things feel a lot cleaner if Anaconda can primarily focus on "per-system" installs, and we have tooling (that again shares code where it makes sense) dedicated to making "unconfigured golden images". Of course, since coreos-assembler obviously isn't going to be building "classic" images like Fedora Cloud, us not using Anaconda for that increases the likelihood of bugs there. But to me that's the past 😄 There's also the "LiveOS" style systems like current Fedora Workstation. That one falls in the middle, but it seems fine to me to keep using LMC for it. The real "middle" case is Silverblue...whether we use coreos-assembler to build that is a whole other question - whether we support Ignition for it...a messy topic. |
|
@cgwalters cheers for the good read. There's a lot about the underlying utilities that I do not understand. How does the current coreos-assembly differ from being a vm wrapper to install an ostree and ship as an image? One other difference between LMC and coreos-assembler's virt-install... the network is disabled and the ostree is mounted as a filesystem https://github.com/coreos/coreos-assembler/blob/master/src/virt-install#L112 so I'll mention that in the pull request. |
No, it currently just runs Anaconda in a VM (via Today, this project (coreos-assembler) does not generate an installer ISO, or a |
|
So, where is this project headed in terms of Ignition vs Anaconda?
I totally agree with this. Using an interpreted language as init system scripting feels wrong in terms of predictability. Ditching Anaconda feels like it should have its own issue; however, it ties in by branching the installation process away from LMC and the current coreos-assembly process. In which case, how will base images be built? If we're not using fedora_everything, will the wrapper pass in build commands via qemu into the VM? Will we have to maintain our own base image? Additionally, is there any issue with branding? Removing Anaconda/kickstart might be feasible (oddly) through using Lorax instead of LMC. A quick read of the docs indicate that fedora_everything is built through Lorax. Merging a dnf squashfs with basic kernel to create a system image. Would it be possible to use this process? It would require some creativity with rebasing without initializing. |
In my opinion, we should use supermin to inject content from the container into "utility VMs" - we'd create filesystems and install the bootloader etc. from there. A major advantage of this is that we don't need to download a separate installer ISO - there is only the coreos-assembler container content. And end users don't use it either - they will just have a |
Looking at the example, supermin looks powerful and light! I guess this sets us back to square one though as far as extracting vmlinuz, initramfs, and squashfs from the appliance. |
No, the appliance is a server-side only thing. As far as artifacts consumed by end users, I think we'd generate a It's interesting, it looks to me like Container Linux today puts the whole OS in the initramfs for iPXE, see https://coreos.com/os/docs/latest/booting-with-ipxe.html |
|
In contrast, Anaconda today has only a slightly custom initramfs, and downloads the "stage2" - the much bigger squashfs with Anaconda inside - itself. |
|
So supermin --prepare creates an appliance definition with packages, --build -f ext2 --copy-kernel builds vm artifacts (initrd, kernel, hda) with the host kernel, and then coreos-assembler uses guestfish to pass in the arguments to configure the ostree and generate a new initramfs in the qemu booted vm. Are there any concerns with creating the kernel this way since ignition needs a kernel mod? Or is that up to the rpm-ostree generated dracut initramfs created inside the supermin generated vm? Will copying the device tree through --copy-kernel create any issues? |
No - the ostree commit contains the initramfs. VM and disk images are just "wrappers" around the ostree commit which has basically everything that isn't the filesystem/disk formats. |
|
Ok, maybe I'll get it this time... The ostree commit is built in the container, it contains the initramfs. PXE artifacts would be the ostree initramfs, supermin kernel, and modified hda? Update: I've spent some time today messing around with supermin. There are a couple of overlaps and it "seems" that supermin is really relevant as a tool which can create an ext2 image that includes rpm packages such as bash and rpm-ostree. It'll copy the fedora-28-everything x86_64 kernel fine but that can be switched out for other kernel builds easily. The only discardable artifact is the supermin generated initramfs. Swap that out with the rpm-ostree generated dracut initramfs.img? Feels really slick since I'm inferring from initramfs documentation that the generated dracut initramfs will initialize the ostree repo. |
In our case, it's really the kernel in the assembler container, which can be different from the target system defined in the config. Today the container is actually f28 and the default config f29, but e.g. a supported use case would be having us rebase the assembler container to f29, but someone continues to build f28 systems from it - and all of this is distinct from the host system.
No, the supermin VM wouldn't be booted with the target kernel or initramfs, but with the assembler container's version. It would write to a disk image which was a file on the host system. |
|
/cc @nhorman for visibility |
|
One thing I want to tie in here too is that based on the discussion in coreos/fedora-coreos-tracker#18 (comment) We will actually need two raw disk images; one for 512b hard drives and one for 4k. |
|
For reference, previous code I wrote that uses libguestfs + the libostree API to make disk images: https://gitlab.gnome.org/GNOME/gnome-continuous/blob/master/src/js/libqa.js However...I think SELinux makes this harder. We will need to take care of labeling all of the files we generate afterwards using the policy in the target root. |
|
Retitling this issue as it ended up being a lot of "CoreOS and Anaconda". |
|
The things I think we need to keep in mind sharing with Anaconda are:
|
That said I was thinking about this - clearly Anaconda could just create It's probably fairly solvable to have a single OSTree build that could be consumed by Anaconda as well as injected into CoreOS-style systems. |
|
Also, another thing related to this is https://bugzilla.redhat.com/show_bug.cgi?id=1061478 |
Maybe it's already clear, but just for the record, that #732 is for non-anaconda path. |
|
@cgwalters as I mentioned last week, @larskarlitski and @teg are working on alternate tooling to build osimages breaking away from anaconda/lorax to be free of simmilar issues. Rpm-ostree are in the future roadmap https://github.com/osbuild/osbuild we should collaborate. |
OK, a bit ironic though to discuss code sharing with osbuild (which is avoiding Anaconda) in this issue which is about code sharing/alignment with Anaconda 😉 So I moved that to osbuild/osbuild#93 |
Actually, we have had some preliminary discussions about code sharing between Anaconda and osbuilder, namely bootloader configuration and possibly other things that are shared between system installation & image generation. |
@cgwalters Yes, you're correct. Apologies for conflating or causing any confusion of this topic. Thanks for initiating the conversation in the more appropriate place. |
Since ppc64le has some support for this that just landed in master, remove most of the code and references to Anaconda. We create disk images directly on all architectures. Some more background in: coreos#91
Since ppc64le has some support for this that just landed in master, remove most of the code and references to Anaconda. We create disk images directly on all architectures. Some more background in: coreos#91
Since ppc64le has some support for this that just landed in master, remove most of the code and references to Anaconda. We create disk images directly on all architectures. Some more background in: coreos#91
Since ppc64le has some support for this that just landed in master, remove most of the code and references to Anaconda. We create disk images directly on all architectures. Some more background in: #91
|
I'm going to close this old issue. |
Add an option to the build command to output an initramfs.img and coreos.img to serve over PXE. This would support the https://github.com/coreos/matchbox project which would lead to tectonic integration. I'd be more than willing to contribute to this.
EDIT: I see a lot of parallels with https://github.com/weldr/lorax/blob/master/docs/livemedia-creator.rst
The text was updated successfully, but these errors were encountered: